Hi folks, I've got an understanding problem.
# dmesg
yields lots of
"possible SYN flooding on port 25 sending cookies."
Right here goes...
I run qmail and can set the incoming concurrency value, e.g.
100 to start up to 100 processes listening on port 25.
Is the SYN flood:
1. More emails trying to make a tcp connection but failing
to find a process to handle the data?
or
2. More than the kernel's default number of TCP SYN packets
coming in per second? What is that default?
or
3. Assuming that the kernel sends a TCP SYN-ACK immediately
on receiving a SYN packet, and assuming that many will be
faked IPs, is the SYN flood report based on the time it
takes to receive the ACK packet from any genuine IPs?
(Since a SYN-ACK sent to an IP which didn't request one will
be dropped - or is that the purpose of these kernel cookies?)
All of the websites I've found which suggest an iptables
ruleset use --limit, as in
# iptables -A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT
I guess this will affect genuine and spoofed IP attempted
connections.
Is there any way of setting a sensible time for the final ACK
of the TCP handshake? (assuming that a genuine connection
request will respond quickly and a faked IP won't respond at
all)
Sorry for so many questions, feel free to answer any parts
you can.
Thanks
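Added example, not part of the original post or of any reply to it: a small Python model of the queue of half-open connections that sits behind the "possible SYN flooding" message. The kernel logs that line when a listening socket's half-open queue fills and syncookies take over; this model reproduces that with a constructed backlog of 128 entries and a constructed 60-second half-open lifetime (on a real system the queue size is bounded by the listen() backlog and net.ipv4.tcp_max_syn_backlog, and the cookie is encoded in the SYN-ACK sequence number rather than sent as a separate token). The addresses, the secret and the Listener/simulate names are all assumptions made for the example.

```python
import hashlib
import hmac

# Constructed demo secret; a real kernel derives its own per-boot cookie secrets.
SECRET = b"constructed-demo-secret"


def make_cookie(src: str) -> str:
    """Stateless token bound to the peer address; the server stores nothing for it."""
    return hmac.new(SECRET, src.encode(), hashlib.sha256).hexdigest()[:16]


class Listener:
    """Toy model of one listening socket's SYN (half-open) queue."""

    def __init__(self, backlog: int, syn_timeout: float, syncookies: bool):
        self.backlog = backlog            # queue cap (constructed stand-in for the kernel limit)
        self.syn_timeout = syn_timeout    # constructed lifetime of an unanswered SYN-ACK
        self.syncookies = syncookies
        self.half_open = {}               # src -> time the SYN-ACK was sent
        self.established = 0
        self.dropped = 0
        self.cookies_sent = 0
        self.flood_reported = False       # set the moment the queue is found full

    def _expire(self, now: float) -> None:
        stale = [s for s, t in self.half_open.items() if now - t >= self.syn_timeout]
        for s in stale:
            del self.half_open[s]

    def on_syn(self, now: float, src: str):
        self._expire(now)
        if len(self.half_open) < self.backlog:
            self.half_open[src] = now
            return "SYN-ACK"              # state kept until the final ACK arrives
        self.flood_reported = True        # queue full: the "possible SYN flooding" condition
        if self.syncookies:
            self.cookies_sent += 1
            return make_cookie(src)       # answer anyway, keeping no state at all
        self.dropped += 1
        return None                       # SYN silently dropped

    def on_ack(self, now: float, src: str, token: str) -> bool:
        self._expire(now)
        if src in self.half_open:
            del self.half_open[src]
            self.established += 1
            return True
        if self.syncookies and hmac.compare_digest(token, make_cookie(src)):
            self.established += 1         # cookie recomputes correctly: no prior state needed
            return True
        return False


def simulate(syncookies: bool, backlog: int = 128, spoofed: int = 200,
             genuine: int = 20, rtt: float = 0.05, syn_timeout: float = 60.0) -> dict:
    """Spoofed burst, then genuine clients, then one client after the entries expire."""
    srv = Listener(backlog, syn_timeout, syncookies)
    now = 0.0
    # Phase 1: SYNs from constructed addresses that never answer the SYN-ACK.
    for i in range(spoofed):
        srv.on_syn(now, f"10.0.{i // 256}.{i % 256}:{40000 + i}")
        now += 0.001
    # Phase 2: genuine clients (constructed addresses) arriving while the queue is clogged;
    # each completes the handshake one RTT after its SYN.
    for i in range(genuine):
        src = f"192.0.2.{i}:{50000 + i}"
        token = srv.on_syn(now, src)
        now += rtt
        if token is not None:
            srv.on_ack(now, src, token)
    # Phase 3: a late client once the half-open entries have timed out.
    now += syn_timeout
    src = "198.51.100.7:51234"
    token = srv.on_syn(now, src)
    late_ok = token is not None and srv.on_ack(now + rtt, src, token)
    return {
        "established": srv.established,
        "dropped": srv.dropped,
        "cookies_sent": srv.cookies_sent,
        "flood_reported": srv.flood_reported,
        "late_client_ok": late_ok,
    }


if __name__ == "__main__":
    for mode in (False, True):
        print("syncookies" if mode else "no cookies", simulate(mode))
```

Running it shows the point of the question: the "flood" condition is the queue filling, not a packets-per-second rate or a count of mail sessions. Without cookies every genuine client that arrives while spoofed entries occupy the queue is dropped until those entries time out; with cookies the server keeps answering because the half-open state is replaced by a recomputable token, which is why the kernel reports "sending cookies" instead of simply dropping SYNs.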